fix: remove vulnerable dependency combine-lists (#3273)

SteinRobert · johnjbarton · commit c43f58427227 · 2019-02-20T07:32:11.000-08:00
Remove `combine-lists` as a dependency. Use `_.union` instead now. Fixes #3265
diff --git a/lib/preprocessor.js b/lib/preprocessor.js
@@ -3,7 +3,7 @@
 const fs = require('graceful-fs')
 const mm = require('minimatch')
 const isBinaryFile = require('isbinaryfile')
-const combineLists = require('combine-lists')
+const _ = require('lodash')
 const CryptoUtils = require('./utils/crypto-utils')
 
 const log = require('./logger').create('preprocess')
@@ -63,7 +63,7 @@ function createPreprocessor (config, basePath, injector) {
 
   let allPreprocessors = []
   patterns.forEach((pattern) => {
-    allPreprocessors = combineLists(allPreprocessors, config[pattern])
+    allPreprocessors = _.union(allPreprocessors, config[pattern])
   })
   allPreprocessors.forEach(instantiatePreprocessor)
 
@@ -92,7 +92,7 @@ function createPreprocessor (config, basePath, injector) {
         let preprocessorNames = []
         patterns.forEach((pattern) => {
           if (mm(file.originalPath, pattern, {dot: true})) {
-            preprocessorNames = combineLists(preprocessorNames, config[pattern])
+            preprocessorNames = _.union(preprocessorNames, config[pattern])
           }
         })
 
diff --git a/package.json b/package.json
@@ -383,7 +383,6 @@
     "braces": "^2.3.2",
     "chokidar": "^2.0.3",
     "colors": "^1.1.0",
-    "combine-lists": "^1.0.0",
     "connect": "^3.6.0",
     "core-js": "^2.2.0",
     "di": "^0.0.1",
@@ -393,7 +392,7 @@
     "graceful-fs": "^4.1.2",
     "http-proxy": "^1.13.0",
     "isbinaryfile": "^3.0.0",
-    "lodash": "^4.17.5",
+    "lodash": "^4.17.11",
     "log4js": "^4.0.0",
     "mime": "^2.3.1",
     "minimatch": "^3.0.2",
